Selective password authentication - SSH


Selective password authentication

Using OpenSSH, is it possible to disable password authentication
selectively? I would like to allow password authentication for
incoming SSH connections from within my LAN, but not for those incoming
from the external world.

Re: Selective password authentication

>>>>> "FWS" == Frank W Steiner writes:

FWS> Using OpenSSH, is it possible to disable
FWS> password authentication selectively? I would like
FWS> to allow password authentication for incoming SSH
FWS> connections from within my LAN, but not for those
FWS> incoming from the external world.

sshd sets the PAM rhost item to the remote hostname or
address of a client connection, so if you set sshd to
validate passwords via PAM (UsePAM=yes), in principle a PAM
module should be able to do this. You might be able to use
a combination of standard modules for it, perhaps pam_access
configured with the desired address restrictions, required
before the password check in the sshd PAM config. This is
just off the top of my head though; I haven't tried this.

Re: Selective password authentication

On Mon, 11 Sep 2006 21:08:21 GMT, Frank W. Steiner wrote:
> Using OpenSSH, is it possible to disable password authentication
> selectively? I would like to allow password authentication for
> incoming SSH connections from within my LAN, but not for those incoming
> from the external world.

These instructions carry NO warranty. Any problems you create are
yours to keep.

The simplest way to do this is set up two ssh daemons, each with its
own policy. I've done this with RH9 and Centos4 systems. The
instructions below pertain to these systems; other distros may
use different files in different places. They assume that you
already have a working ssh listening on the LAN only.

And, of course, you'll have to dig through the files to make sure
you've made all the correct changes. It's especially important to
make sure that each daemon has its own copies of any support files
like configs, keys, startups, executables, and so on.

5. Add the new extsshd to the list of configured services
(RH9 and Centos4 style):
    chkconfig --add extsshd
    chkconfig --list | grep extsshd
It should be on in levels 2345
    service extsshd start
This should create the necessary keys

If some update procedure updates the sshd startup file,
you'll have to change the extsshd startup file again.
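The two-daemon setup described in this reply, as an added example that is not from the thread: a POSIX shell helper that derives the external daemon's sshd_config from the existing LAN one, keeping both daemons from sharing a PidFile or HostKey. The file paths, the external address 203.0.113.5 and the extsshd key/pid names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and addresses are assumptions.
set -eu

# make_ext_sshd_config BASE OUT EXT_ADDR
# Copies BASE to OUT minus the directives overridden below, then appends the
# external daemon's policy: bind only to EXT_ADDR, no password or
# keyboard-interactive auth, and a private PidFile/HostKey so extsshd never
# shares state with the LAN sshd.
make_ext_sshd_config() {
    base=$1; out=$2; ext_addr=$3
    grep -viE '^[[:space:]]*(ListenAddress|PasswordAuthentication|ChallengeResponseAuthentication|PidFile|HostKey)[[:space:]]' "$base" > "$out"
    cat >> "$out" <<EOF

# --- extsshd: external-facing daemon, public keys only ---
ListenAddress $ext_addr
PasswordAuthentication no
ChallengeResponseAuthentication no
PidFile /var/run/extsshd.pid
HostKey /etc/ssh/extsshd_host_rsa_key
EOF
}

# check_ext_sshd_config OUT
# Returns 0 only if OUT forbids passwords (no stray "yes" survived the copy)
# and binds exactly one ListenAddress, i.e. the external one.
check_ext_sshd_config() {
    out=$1
    grep -qiE '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$out" || return 1
    grep -qiE '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$out" && return 1
    [ "$(grep -ciE '^[[:space:]]*ListenAddress[[:space:]]' "$out")" -eq 1 ] || return 1
    return 0
}

# Constructed sample LAN config (not a real system file) to exercise the helpers.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<EOF
Port 22
ListenAddress 192.168.1.10
PasswordAuthentication yes
PidFile /var/run/sshd.pid
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin no
EOF
make_ext_sshd_config "$tmp/sshd_config" "$tmp/sshd_config_ext" 203.0.113.5
check_ext_sshd_config "$tmp/sshd_config_ext" && echo "extsshd config OK: $tmp/sshd_config_ext"
```

It also turns off ChallengeResponseAuthentication, because with UsePAM a keyboard-interactive login can still prompt for a password even when PasswordAuthentication is off. On OpenSSH 4.4 and later the same policy fits in a single daemon with a Match Address block.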